Bug 442139

Summary: AVC errors modifying X settings
Product: [Fedora] Fedora
Reporter: John Poelstra <poelstra>
Component: system-config-display
Assignee: Adam Jackson <ajax>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: low
Version: rawhide
CC: dwalsh, katzj, notting, xgl-maint
Target Milestone: ---
Keywords: SELinux
Target Release: ---
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-04-20 18:39:04 EDT
Bug Blocks: 235706    

Description John Poelstra 2008-04-11 20:23:02 EDT
Description of problem:
See alert message from attempting to change screen resolution. Created a new
user when reproducing to verify that the problem wasn't a stale home dir file.

Version-Release number of selected component (if applicable):
# rpm -qa | grep selinux | sort

How reproducible:

Steps to Reproduce:
1. attempt to change screen resolution
2. attempt fails
3. attempt to write to changes and error fails


SELinux is preventing the Xorg from using potentially mislabeled files

Detailed Description:

SELinux has denied Xorg access to potentially mislabeled file(s)
(/home/goofball/.xsession-errors). This means that SELinux will not allow Xorg
to use these files. It is common for users to edit files in their home directory
or tmp directories and then move (mv) them to system directories. The problem is
that the files end up with the wrong file context which confined applications
are not allowed to access.

Allowing Access:

If you want Xorg to access this files, you need to relabel them using restorecon
-v '/home/goofball/.xsession-errors'. You might want to relabel the entire
directory using restorecon -R -v '/home/goofball'.

Additional Information:

Source Context                unconfined_u:unconfined_r:xdm_xserver_t:s0-s0:c0.c
Target Context                system_u:object_r:user_home_t:s0
Target Objects                /home/goofball/.xsession-errors [ file ]
Source                        Xorg
Source Path                   /usr/bin/Xorg
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           xorg-x11-server-Xorg-
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-33.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain
                              2.6.25-0.218.rc8.git7.fc9.x86_64 #1 SMP Wed Apr 9
                              19:55:19 EDT 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Fri 11 Apr 2008 05:13:31 PM PDT
Last Seen                     Fri 11 Apr 2008 05:13:31 PM PDT
Local ID                      c76c1925-ae25-4b43-a569-3dd82f6e9066
Line Numbers                  

Raw Audit Messages            

host=localhost.localdomain type=AVC msg=audit(1207959211.814:15): avc:  denied 
{ append } for  pid=2965 comm="Xorg" path="/home/goofball/.xsession-errors"
dev=sdb1 ino=27459599
tcontext=system_u:object_r:user_home_t:s0 tclass=file

host=localhost.localdomain type=AVC msg=audit(1207959211.814:15): avc:  denied 
{ read write } for  pid=2965 comm="Xorg" path="/var/log/Xorg.setup.log" dev=sda5
ino=9785 scontext=unconfined_u:unconfined_r:xdm_xserver_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file

host=localhost.localdomain type=SYSCALL msg=audit(1207959211.814:15):
arch=c000003e syscall=59 success=yes exit=0 a0=1114a20 a1=1195050
a2=7fff2c935620 a3=7fff2c934880 items=0 ppid=2964 pid=2965 auid=501 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="Xorg"
exe="/usr/bin/Xorg" subj=unconfined_u:unconfined_r:xdm_xserver_t:s0-s0:c0.c1023
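
Added example (not part of the original report): a small Python parser that groups the raw audit records above by audit event id and extracts each denial's permissions, path, and source and target types. The records are re-joined from the wrapped lines in the report, with the SYSCALL record trimmed; all function and variable names are this example's own.

```python
import re
from collections import defaultdict

# Records from the report above, re-joined onto one line each (SYSCALL trimmed).
# The first AVC has no scontext on the page, so none is supplied here.
RECORDS = [
    'host=localhost.localdomain type=AVC msg=audit(1207959211.814:15): avc:  denied '
    '{ append } for  pid=2965 comm="Xorg" path="/home/goofball/.xsession-errors" '
    'dev=sdb1 ino=27459599 tcontext=system_u:object_r:user_home_t:s0 tclass=file',
    'host=localhost.localdomain type=AVC msg=audit(1207959211.814:15): avc:  denied '
    '{ read write } for  pid=2965 comm="Xorg" path="/var/log/Xorg.setup.log" dev=sda5 '
    'ino=9785 scontext=unconfined_u:unconfined_r:xdm_xserver_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file',
    'host=localhost.localdomain type=SYSCALL msg=audit(1207959211.814:15): '
    'arch=c000003e syscall=59 success=yes exit=0 ppid=2964 pid=2965 comm="Xorg" '
    'exe="/usr/bin/Xorg"',
]

EVENT_RE = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+:\d+)\):\s*(.*)')
PERMS_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def setype(context):
    """Type field of a user:role:type:level context, or None if absent."""
    parts = context.split(':') if context else []
    return parts[2] if len(parts) > 2 else None

def group_events(lines):
    """Group records by audit event id and list each event's denials."""
    # On x86_64 (arch=c000003e) syscall 59 is execve.
    events = defaultdict(lambda: {'syscall': None, 'denials': []})
    for line in lines:
        m = EVENT_RE.search(line)
        if not m:
            continue
        rtype, event_id, body = m.groups()
        kv = {k: v.strip('"') for k, v in KV_RE.findall(body)}
        if rtype == 'SYSCALL':
            events[event_id]['syscall'] = kv.get('syscall')
        elif rtype == 'AVC':
            perms = PERMS_RE.search(body)
            events[event_id]['denials'].append({
                'perms': perms.group(1).split() if perms else [],
                'path': kv.get('path'),
                'source_type': setype(kv.get('scontext')),
                'target_type': setype(kv.get('tcontext')),
                'tclass': kv.get('tclass'),
            })
    return dict(events)
```

Calling `group_events(RECORDS)` returns a single event, `1207959211.814:15`, with syscall 59 and two file denials: `append` on a `user_home_t` file and `read write` by `xdm_xserver_t` on a `var_log_t` file.
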
Comment 1 Daniel Walsh 2008-04-14 09:07:18 EDT
system-config-display is creating the log file without the correct context. 
After it creates the file it should run restorecon on the file.

I will fix the output to .xsession in the next policy update.
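
Added example (not system-config-display's actual code): one way to apply the fix described in this comment, creating the log file and then running restorecon on it before a confined process such as Xorg uses it. The function name and its parameters are hypothetical; /var/log/Xorg.setup.log is the path taken from the AVC record in the description.

```python
import os
import shutil
import subprocess

def create_labeled_log(path, mode=0o644, restorecon="restorecon"):
    """Create (or truncate) a log file, then reset its SELinux context to
    the policy default for that path.

    Returns True if restorecon ran and exited 0, False if it is not
    installed or failed. The file exists in either case.
    """
    # O_NOFOLLOW: the caller runs as root, so refuse to write through a symlink.
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
    fd = os.open(path, flags, mode)
    os.close(fd)

    tool = shutil.which(restorecon)
    if tool is None:
        return False  # no restorecon on this system; nothing to relabel with

    # Relabel before any confined child inherits or opens the file.
    result = subprocess.run([tool, path], capture_output=True, text=True)
    return result.returncode == 0

if __name__ == "__main__":
    # Path from the AVC record in this report; needs root to write there.
    print(create_labeled_log("/var/log/Xorg.setup.log"))
```
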
Comment 2 Daniel Walsh 2008-04-15 09:43:36 EDT
This is a bug in system-config-display creation of the log files.
Comment 3 Bill Nottingham 2008-04-17 15:58:26 EDT
How is it supposed to create the log file?
Comment 4 Jeremy Katz 2008-04-18 13:54:01 EDT
John -- how were you changing the resolution?  This is looking fine to me with
the PR livecd
Comment 5 John Poelstra 2008-04-18 13:58:00 EDT

I'll do a free re-install and see what happens
Comment 6 John Poelstra 2008-04-20 18:39:04 EDT
No AVC errors, but changing resolution is still broken in that you can change to
a lower resolution, but when you go to change it back to the higher resolution it
is no longer an option.  Since AVC was root cause for this bug I'll open a new bug.